/*% default configuration */
static char defaultconf[] = "\
options {\n\
        automatic-interface-scan yes;\n\
        bindkeys-file \"" NS_SYSCONFDIR "/bind.keys\";\n\
#       blackhole {none;};\n"
#if defined(HAVE_OPENSSL_AES) || defined(HAVE_OPENSSL_EVP_AES)
"       cookie-algorithm aes;\n"
#else
"       cookie-algorithm sha256;\n"
#endif
#ifndef WIN32
"       coresize default;\n\
        datasize default;\n\
        files unlimited;\n\
        stacksize default;\n"
#endif
"#      session-keyfile \"" NS_LOCALSTATEDIR "/run/named/session.key\";\n\
        session-keyname local-ddns;\n\
        session-keyalg hmac-sha256;\n\
#       deallocate-on-exit <obsolete>;\n\
#       directory <none>\n\
        dump-file \"named_dump.db\";\n\
#       fake-iquery <obsolete>;\n\
#       has-old-clients <obsolete>;\n\
        heartbeat-interval 60;\n\
#       host-statistics <obsolete>;\n\
        interface-interval 60;\n\
#       keep-response-order {none;};\n\
        listen-on {any;};\n\
        listen-on-v6 {any;};\n\
        match-mapped-addresses no;\n\
        max-rsa-exponent-size 0; /* no limit */\n\
        memstatistics-file \"named.memstats\";\n\
#       multiple-cnames <obsolete>;\n\
#       named-xfer <obsolete>;\n\
        nta-lifetime 3600;\n\
        nta-recheck 300;\n\
        notify-rate 20;\n\
#       pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
#       lock-file \"" NS_LOCALSTATEDIR "/run/named/named.lock\";\n\
        port 53;\n\
        prefetch 2 9;\n\
        recursing-file \"named.recursing\";\n\
        secroots-file \"named.secroots\";\n\
"
#ifdef PATH_RANDOMDEV
"\
        random-device \"" PATH_RANDOMDEV "\";\n\
"
#endif
"\
        recursive-clients 1000;\n\
        resolver-query-timeout 10;\n\
        rrset-order { order random; };\n\
#       serial-queries <obsolete>;\n\
        serial-query-rate 20;\n\
        server-id none;\n\
        startup-notify-rate 20;\n\
        statistics-file \"named.stats\";\n\
#       statistics-interval <obsolete>;\n\
        tcp-clients 150;\n\
        tcp-listen-queue 10;\n\
#       tkey-dhkey <none>\n\
#       tkey-gssapi-credential <none>\n\
#       tkey-domain <none>\n\
        transfer-message-size 20480;\n\
        transfers-per-ns 2;\n\
        transfers-in 10;\n\
        transfers-out 10;\n\
#       treat-cr-as-space <obsolete>;\n\
        trust-anchor-telemetry yes;\n\
#       use-id-pool <obsolete>;\n\
#       use-ixfr <obsolete>;\n\
        edns-udp-size 4096;\n\
        max-udp-size 4096;\n\
        nocookie-udp-size 4096;\n\
        send-cookie true;\n\
        request-nsid false;\n\
        reserved-sockets 512;\n\
\n\
        /* DLV */\n\
        dnssec-lookaside . trust-anchor dlv.isc.org;\n\
\n\
        /* view */\n\
        allow-notify {none;};\n\
        allow-update-forwarding {none;};\n\
        allow-query-cache { localnets; localhost; };\n\
        allow-query-cache-on { any; };\n\
        allow-recursion { localnets; localhost; };\n\
        allow-recursion-on { any; };\n\
#       allow-v6-synthesis <obsolete>;\n\
#       sortlist <none>\n\
#       topology <none>\n\
        auth-nxdomain false;\n\
        minimal-any false;\n\
        minimal-responses false;\n\
        recursion true;\n\
        provide-ixfr true;\n\
        request-ixfr true;\n\
        request-expire true;\n\
#       fetch-glue <obsolete>;\n\
#       rfc2308-type1 <obsolete>;\n\
        additional-from-auth true;\n\
        additional-from-cache true;\n\
        query-source address *;\n\
        query-source-v6 address *;\n\
        notify-source *;\n\
        notify-source-v6 *;\n\
        cleaning-interval 0;  /* now meaningless */\n\
#       min-roots <obsolete>;\n\
        lame-ttl 600;\n\
        servfail-ttl 1;\n\
        max-ncache-ttl 10800; /* 3 hours */\n\
        max-cache-ttl 604800; /* 1 week */\n\
        transfer-format many-answers;\n\
        max-cache-size 90%;\n\
        check-names master fail;\n\
        check-names slave warn;\n\
        check-names response ignore;\n\
        check-dup-records warn;\n\
        check-mx warn;\n\
        check-spf warn;\n\
        acache-enable no;\n\
        acache-cleaning-interval 60;\n\
        max-acache-size 16M;\n\
        dnssec-enable yes;\n\
        dnssec-validation yes; \n\
        dnssec-accept-expired no;\n\
        fetches-per-zone 0;\n\
        fetch-quota-params 100 0.1 0.3 0.7;\n\
        clients-per-query 10;\n\
        max-clients-per-query 100;\n\
        max-recursion-depth 7;\n\
        max-recursion-queries 75;\n\
        zero-no-soa-ttl-cache no;\n\
        nsec3-test-zone no;\n\
        allow-new-zones no;\n\
        fetches-per-server 0;\n\
        require-server-cookie no;\n\
        v6-bias 50;\n\
        message-compression yes;\n\
"
#ifdef HAVE_DNSTAP
"\
        dnstap-identity hostname;\n\
"
#endif
#ifdef HAVE_GEOIP
"\
        geoip-use-ecs yes;\n\
"
#endif
#ifdef ALLOW_FILTER_AAAA
"       filter-aaaa-on-v4 no;\n\
        filter-aaaa-on-v6 no;\n\
        filter-aaaa { any; };\n\
"
#endif

"       /* zone */\n\
        allow-query {any;};\n\
        allow-query-on {any;};\n\
        allow-transfer {any;};\n\
        notify yes;\n\
#       also-notify <none>\n\
        notify-delay 5;\n\
        notify-to-soa no;\n\
        dialup no;\n\
#       forward <none>\n\
#       forwarders <none>\n\
#       maintain-ixfr-base <obsolete>;\n\
#       max-ixfr-log-size <obsolete>\n\
        transfer-source *;\n\
        transfer-source-v6 *;\n\
        alt-transfer-source *;\n\
        alt-transfer-source-v6 *;\n\
        max-transfer-time-in 120;\n\
        max-transfer-time-out 120;\n\
        max-transfer-idle-in 60;\n\
        max-transfer-idle-out 60;\n\
        max-retry-time 1209600; /* 2 weeks */\n\
        min-retry-time 500;\n\
        max-refresh-time 2419200; /* 4 weeks */\n\
        min-refresh-time 300;\n\
        multi-master no;\n\
        dnssec-secure-to-insecure no;\n\
        sig-validity-interval 30; /* days */\n\
        sig-signing-nodes 100;\n\
        sig-signing-signatures 10;\n\
        sig-signing-type 65534;\n\
        inline-signing no;\n\
        zone-statistics terse;\n\
        max-journal-size unlimited;\n\
        ixfr-from-differences false;\n\
        check-wildcard yes;\n\
        check-sibling yes;\n\
        check-integrity yes;\n\
        check-mx-cname warn;\n\
        check-srv-cname warn;\n\
        zero-no-soa-ttl yes;\n\
        update-check-ksk yes;\n\
        serial-update-method increment;\n\
        dnssec-update-mode maintain;\n\
        dnssec-dnskey-kskonly no;\n\
        dnssec-loadkeys-interval 60;\n\
        try-tcp-refresh yes; /* BIND 8 compat */\n\
};\n\
"

"#\n\
#  Zones in the \"_bind\" view are NOT counted in the count of zones.\n\
#\n\
view \"_bind\" chaos {\n\
        recursion no;\n\
        notify no;\n\
        allow-new-zones no;\n\
\n\
        # Prevent use of this zone in DNS amplified reflection DoS attacks\n\
        rate-limit {\n\
                responses-per-second 3;\n\
                slip 0;\n\
                min-table-size 10;\n\
        };\n\
\n\
        zone \"version.bind\" chaos {\n\
                type master;\n\
                database \"_builtin version\";\n\
        };\n\
\n\
        zone \"hostname.bind\" chaos {\n\
                type master;\n\
                database \"_builtin hostname\";\n\
        };\n\
\n\
        zone \"authors.bind\" chaos {\n\
                type master;\n\
                database \"_builtin authors\";\n\
        };\n\
\n\
        zone \"id.server\" chaos {\n\
                type master;\n\
                database \"_builtin id\";\n\
        };\n\
};\n\
"
"#\n\
#  Default trusted key(s) for builtin DLV support\n\
#  (used if \"dnssec-lookaside auto;\" is set and\n\
#  sysconfdir/bind.keys doesn't exist).\n\
#\n\
# BEGIN MANAGED KEYS\n"

/* Imported from bind.keys.h: */
MANAGED_KEYS

"# END MANAGED KEYS\n\
";